Recovering from a WordPress Hack

by Greg Whitehead aka The WP CMS Ninja

What will you learn from this presentation?

Some of the signs your site has been hacked?

These are just a few of the signs that your site may be hacked and serving up unwanted content.

Scanning your site for a malware

There are tools out there like Sucuri that will do a scan of the front facing version of your site for vulnerabilities.

sucuri-sitecheck-results

This type of scan will usually tell you what they have found that is causing your site to show that it is infected with malware.

Some source code that hackers use

Here are some examples of what you will find as code that has been inserted into your site.

Some-source-code-that-hackers-use

Some of these are just a piece of the actual code that is either inserted into an existing file or the created a file with just their code in it.

No Shell Access

Another great tool is the Look-See Security Scanner. This is a plugin scans your system for files that have code matching known hacks or code injections.

look-see

It seams to do a pretty decent job as it even searches hidden directories and also checks permission levels. This can be resource heavy and may take a while to run. It also gives some false-positives but I would rather check a clean file than miss a hacked file.

WordPress FAQ for a hacked site

WordPress has a good resource, https://codex.wordpress.org/FAQ_My_site_was_hacked.

Sometimes it is the actual admin accounts and passwords that have been compromised. You should also update the SALT keys within your wp-config.php by generating new ones at, https://api.wordpress.org/secret-key/1.1/salt/ as well as changing your admin passwords.

 

Doing a search within phpMyAdmin

So usually in your hosting's control panel you are able to open up the phpMyAdmin that is connected to your databases.

SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'

These are just some of the says that someone will have put malicious code into your posts trying to get people to their sites of malicious or advertising intent.

You will need to go through your posts as sometimes there are just links to unwanted medicines.

Initial steps to take when recovering

First step I usually do is download the version of WordPress that is currently installed, hopefully it is the current version. Then I replace all core files of a WordPress install. This includes the following files and directories.

If there are other files in the root folder with a .php extension except for the wp-config.php file I would recommend removing them as well unless you know what they are and what they are there for. The only customized files in WordPress should be within the wp-content directory which is where your plugins, themes, and uploaded media files are located.

Checking your blog for other files

Referencing the log file, you should go through the files that are questionable to see if they should be deleted or edited.

Here is an example of a file that someone uploaded and made it appear like it is a legit WordPress file. This file was not found using the eval search but instead I also searched for _POST to see what files were handling post variables.

Checking-your-blog-for-other-files

This file was found in the root folder of a site and its syntax matches what you would normally see in a WordPress file. This shows how resourceful hackers are in trying to get it so their file is bypassed when trying to find their files. If they were able to get this file up onto your site it would then give them the ability to upload any file they want to your system.

Another example using stand alone theme file

Here is another example of a hackers file with that would be found with the find eval call

Another-example-using-stand-alone-theme-file

Keep in mind when looking at files that the dates modified is one thing to look at but as this can be manipulated it can't always be trusted in finding files that have been modified.

A decoded example

On the previous slide I shared this example.

A-decoded-example-1

Which when decoded is the following code being evaluated.

A-decoded-example-2

This code is saying if the posted password matches, then do a run the decoded code posted to the variable code. In essence giving them the capability to run any php code they send giving them complete access to your accounts files.

Hosting Problems

Sometimes you run into a hack that is truly out of your control. Sometimes the vulnerabilities are within your hosting providers server.

Some hosting providers go above and beyond with protecting your sites from hackers and vulnerabilities:

These are just some of the hosting solutions out there that offer managed WordPress hosting.

Creating BackUps

So there are many different ways for someone to create a backup of their site:

Once you have a clean site

So once you have cleaned your entire site I would recommend doing the following:

Contact Information

Greg Whitehead | greg@inconcertweb.com
Sr. Web Application Developer
inConcert Web Solutions | inconcertweb.com

Personal: wpcms.ninja | greg@wpcms.ninja
Twitter: @WPCMSNinja & @BilliardGreg (I am a pool player with a career problem)
Facebook: www.facebook.com/WPCMSNinja
LinkedIn: www.linkedin.com/in/gwhitehead
Github: github.com/WPCMSNinja